January 7, 2019

Technology and Psychology – The Cybercriminal’s Toolkit


In our Security Awareness for… series, we’ve already looked at what Chief Executives and Heads of Information Security want from security awareness training , so now we turn to consider what the Head of Information Security seeks.


If you’d asked anyone about Cybersecurity problems ten years ago you’d likely get a shrug of the shoulders and a nonchalant look. Today, you would have to have been asleep for several years not to have noticed that cybercrime has hit the roof and security incidents have impacted the minds, and pockets, of us all.


One of the innovations that has given cybercriminals the upper hand has been the use of not only technology but human psychology to enact their criminal activities. Many modern cyber threats use our own behaviour as part of an often, multi-pronged attack. The jigsaw puzzle needed to fix cybercrimes is complicated. The result of cybercriminal activity can be seen in the statistics collated by industry analysts and firms fighting on our side.


  • Number of breaches. In 2017, we saw a doubling of cyber attacks. Companies of all sizes and types were under siege. Statistics by the UK government has found over 40% of businesses experienced a cyber attack in 2017 with that number rising to over 70% for larger firms. We witnessed major breaches like the Uber and Equifax data leaks in which hundreds of millions of personal data records were exposed. In 2016, there was a reported ransomware attack every 40 seconds As we move into 2018/2019 the attacks are morphing into new methods such as cryptojacking which saw an increase of 8500% in 2017.
  • Cost of breaches. The Ponemon Institute provides an annual insight into the costs of cybercrime across all types of organisations. In their 2017 report, they found that in the UK, for example, the average cost of a data breach was £2.48 million
  • Type of breaches. The one thing you can predict about cybercrime is that it is ever-changing. Breaches, however, focus on certain core outcomes which include: the theft of data; denial of service (e.g. to shut a website down); sabotage; and, financial theft, including ransomware. Cybercriminals use a variety of techniques to achieve their end goal. This includes: web attacks such as SQL injection and XSS; phishing to steal login credentials or install malware; Distributed Denial of Service (DDoS); Business Email Compromise (BEC). One thing you can be sure of is that cybercriminals innovate.


All in all, the landscape of cybercrime is convoluted, complex, and changing. It takes an intelligent and proactive approach to deal with this and make headway.


In this short series of articles, we will take a look at how having an awareness of cybersecurity threats and building a culture where security becomes second nature, affects different organisational roles. And, how applying security awareness campaigns to combat cybercrime, places the ball in the court of your organisation, rather than the cybercriminal’s hands


The IT Director On Security

IT Directors are at the root of all things Info tech in an organisation – this means that their tech fingers are in every tech pie going. The role of the IT Director can be many things to many people; generally, you are the person who makes digital transformation actually happen. This places you in a key position with respect to data security too.


Data and human beings make the modern enterprise tick. And no one has been more involved in the changes in the lifecycle of data, and how human workers interact with it than the IT Director. As business operations and work models have moved rapidly from closed infrastructures to open and extended Cloud-based computing, cybersecurity threats have come along for the ride. The IT Director has an up-close and personal relationship with cybersecurity threats, as the cybercriminal pulls on the coattails of progress.


The IT Director sits in a pivotal position within an organisation – cyberthreats touching all of the areas that the role reaches – here are some ways that the cybercriminals keep the IT Director and their IT Managers awake at night:


  • A change for good and a change for bad. In your role as IT Director you will be pushing for change across the entire organisation to streamline and improve productivity and help internal innovation. This means you will be exploring new technologies such as Cloud servers and apps, IoT, big data analytics, and AI. These technologies are like the digital equivalent of Tinder’s “swipe left” as far as cybercriminals are concerned. Being based on valuable data, and opening up the threat landscape by being hyperconnected, gives the cybercriminal new means of attack.
  • Who is to blame? An IT Director is in a position of trust and has much responsibility. But you will not have the specialist security knowledge of your Chief Information Security Office (CISO) or equivalent. And, the blame game has to start somewhere and often the IT Director and IT Managers will be drawn into the incident as it unfolds. Nasty cyberattacks, such as ransomware incidents, have a habit of impacting an entire, or a large part of, an organisation’s vital infrastructure. This was the case in a recent ransomware attack on Bristol Airport which resulted in a blackout of flight display screens for two days. In these situations, “who you going to call? IT Director!”
  • Spreading the load on a big plate. As if being in charge of your organisation’s IT infrastructure and future technology plans isn’t enough, cybersecurity threats are now part of the remit of the Chief Technology Officer (CTO). This ultimately means that anyone, such as an IT DIrector, that reports to a CTO, also has to add cybersecurity to their list of jobs.


The role of IT Director and IT Manager has a very wide scope. Not only does it require the type of skills that can blend your company business strategy and goals with old, new, and emerging technologies, but it now needs you to add cybersecurity to the list. However, as head of company technical operations, you are well placed to take on the cybercriminal at their own game.


What security awareness can offer the IT Director and IT Manager


As an IT Director you and your team, have applied your experience and knowledge to build a robust and usable technology infrastructure for your business. The last thing you want to happen is to let some malicious element take control of those systems and ruin everyone’s hard work. This is why cybersecurity and the threats it poses to your organisation, need to be part of your overall technology strategy; cybersecurity know-how needs to be intrinsically woven into your operations to become second nature.


Adding in a layer of cybersecurity knowledge is all part of building a wider company ethos and culture of security. When something becomes an intrinsic part of a strategy it is more easily applied and adhered to.


Security awareness training helps to build a culture of security by education in just what cybersecurity is all about. It is a way to draw in your people and your business processes with cybersecurity strategic planning. As an IT Director for your company, you are a natural fit to help promote and encourage the use of a security awareness training program.


As a facilitator for security awareness, with wide scope knowledge of the IT infrastructure and data flow of your organisation, you are uniquely positioned to ensure that the training is applied in inline with your company objectives.


  1. Security awareness for all: Security awareness training is not a one size suits all package. It needs to be tailored to suit departments and employees. A good security training awareness program offers an IT Director the flexibility needed to manage the varying infrastructures of different types of organisations.
  2. Blended with your business: As Head of IT you have been integral in the application of technology across your business. You also know how that technology is used. Security awareness training can be used to blend “practice with people with company strategy”. You can develop training programs that fit with your business and your users.
  3. Easy reporting: Security awareness training programs need to have ways of giving you insight into the effectiveness of the training. Good reporting practices can be an effective tool in spotting trends and patterns in human behaviour helping you to focus in on poor cybersecurity hygiene and practises.
  4. Ease of use: Security awareness training should never be boring and should always be intuitive and easy to use. Your focus should be on how it benefits your employees. And, many of the benefits of security awareness training extend out of the office into the personal life of the employee. One of the ways to improve the usability of a training package is through the use of gamification. Security awareness training that utilises gamification techniques has been shown in a study by the Norwegian University of Science and Technology to have “positive effects when used in a security context.”


In Conclusion


As an IT Director you dovetail at the juncture of technology and users. Bringing these forces together through an effective security awareness training program will reap benefits in terms of reducing the overhead on your IT infrastructure. Someone once said that “Knowledge is power” and this holds true in the case of the onslaught of cyberattacks that we all face.

Share this: